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We present a new syntactical proof that first-order Peano Arithmetic with Skolem axioms is con- 
servative over Peano Arithmetic alone for arithmetical formulas. This result - which shows that 
the Excluded Middle principle can be used to eliminate Skolem functions - has been previously 
proved by other techniques, among them the epsilon substitution method and forcing. In our proof, 
we employ Interactive Realizability, a computational semantics for Peano Arithmetic which ex- 
tends Rreisel's modified realizability to the classical case. 



1 Introduction 

For a long time it has been known that intuitionistic realizability can be used as a flexible tool for 
obtaining a wealth of unprovability, conservativity and proof-theoretic results ll23l l25l . As title of 
example, with Kreisel's modified realizability |[T7l . one can show the unprovability of Markov Prin- 
ciple in Heyting Arithmetic in all finite types (HA W ) and the conservativity of HA ffl with the Axiom 
of Choice (AC) over HA 63 for negative formulas. In both cases, one starts by showing that any for- 
mula provable in one of those systems can be shown to be realizable in HA 68 . In the first case, one 
proves that the realizability of Markov Principle implies the solvability of the Halting Problem, and 
concludes that Markov Principle is unprovable in HA ffl . In the second, one exploits the fact that the 
assertion "/ realizes A" is exactly the formula A when A is negative and concludes that HA ffl proves A. 

The situation in classical logic has been very different: for a long time it did not exist any re- 
alizability notion suitable to interpret directly classical proofs, let alone proving independence or 
conservation results. However, recently several classical realizability interpretations have been put 
forward. Among them: Krivine's classical realizability fl8l . which has been shown in |fl9l to yield 
striking unprovability results in Zermelo-Fraenkel set theory, and Interactive realizability H]|4l|6l|7l, 
which has been shown in (3HH to provide conservation results for n^-formulas. 

Being a tool for extracting programs from proofs, it is however quite natural that Interactive re- 
alizability is capable of producing 11° -conservativity results. The aim of this paper is to prove that 
Interactive realizability can as well be used to prove other conservativity results. In particular, let us 
consider first-order classical Peano Arithmetic PA, which is H A + EM, where EM is the excluded mid- 
dle over arithmetical formulas. Then we give a new syntactic proof that PA with the Skolem axiom 
scheme SK is conservative over PA for arithmetical formulas - a result first syntactically proven by 
Hilbert and Bernays |[T6l by means of the epsilon substitution method. The result is particularly inter- 
esting since it implies that classical choice principles can be eliminated by using the excluded middle 
alone. The structure of our proof resembles the pattern of the intuitionistic-realizability conservation 
proofs we have sketched above and allows to obtain a stronger result. Namely, we shall show that if 
an arithmetical formula A is provable in HA ffl + EM + SK, then the assertion "t realizes A" is provable 
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in HA ffl alone. Afterwards, we shall show the provability in HA ffl + EM of the assertion "(t realizes A) 
implies A" and thus conclude that HA 60 + EM proves A. Since this latter system is conservative over 
PA for arithmetical formulas, we obtain the result. 

In our opinion, there are at least two reasons our proof technique is interesting. As remarked by 
Avigad lfTOl . the methods based on the epsilon-method, Herbrand's Theorem or cut-elimination lead 
to an exponential increase in the size of the proof, when passing from a proof in HA ffl + EM + SK 
to a corresponding proof in HA + EM; instead, we conjecture that our transformation is polynomial. 
To the best of our knowledge, there is only another method that does equally well, which is Avigad's 
ifTOll . The technique of Avigad is related to ours since it uses the method of forcing, in which the con- 
ditions are finite approximations of the Skolem functions used in the proof. With forcing one avoids 
speaking about infinite non-computable objects (i.e. the Skolem functions) and can approximate the 
original proof. Avigad's method is very simple and elegant when there is only one Skolem function to 
eliminate, but it becomes more complicated and difficult to handle when dealing with several Skolem 
functions. In fact, a nesting of the notion of forcing together with a technical result about elimination 
of definitions become necessary and the method loses some intuitive appeal. Instead, the use of Inter- 
active realizability allows to deal with all the Skolem functions at the same time, and we conjecture 
that the resulting proofs are much shorter than the ones obtained by forcing. Moreover, the notion of 
forcing as an approximation of model-theoretic truth is harder to come up with, and it is much more 
natural to talk about states and approximations when dealing with programs. 

Secondly, the theory of Interactive realizability offers a uniform explanation of a number of differ- 
ent phenomena. Rather than proving each particular meta-theoretic result about classical Arithmetic 
with an ad-hoc technique, one employs a single methodology. For example, one may prove conser- 
vativity of PA over HA for IT^-formulas by a negative translation followed by Friedman's translation 
[13]; one may extract from proofs terms of Godel's System T by realizability or functional interpreta- 
tions lfl4l ; one may prove the result about the elimination of Skolem functions with forcing; one may 
extract from proofs strategies in backtracking Tarski games by analyzing sequent calculus proofs [12]; 
one may obtain a simple ordinal analysis of PA + SK by using update procedures j9|. Instead, with 
the theory of Interactive realizability one obtains all the results above as a consequence of a single 
concept (see EEUll). 

Plan of the paper In Section $2] we review the term calculus ^ lass in which Interactive realizers 
are written, namely an extension of Godel's system T plus Skolem function symbols for a countable 
collection of Skolem functions. In Section £|3]we recall Interactive realizability, as described in 0, a 
computational semantics for HA ffl + EM + SK, an arithmetical system with functional variables which 
includes first-order classical Peano Arithmetic and Skolem axioms. In Section $4] we use Interactive 
realizability to prove the conservativity of HA ffl + EM + SK over HA ffl + EM for arithmetical formulas. 
In Section Sj5]we explain in more detail how to formalize the proofs of Section @]in HA ffl + EM and 
HA + EM. 

2 The Term Calculus 

In this section we follow [7] and recall the typed lambda calculi & and ^ lass in which interactive 
realizers are written. 2? is an extension of Godel's system T (as presented in Girard lfl5l ) with some 
syntactic sugar. The basic objects of 2? are numerals, booleans, and its basic computational constructs 
are primitive recursion at all types, if-then-else, pairs, as in Godel's T. ^ also includes as basic objects 
finite partial functions over N and simple primitive recursive operations over them. 3F Qms is obtained 
from by adding on top of it a collection of Skolem function symbols <t»o, > $2) • • • > of type N — > N, 
one for each arithmetical formula. The symbols are inert from the computational point of view and 
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realizers are always computed with respect to some approximation of the Skolem maps represented 
by 00,^1,^2, - • •• 

2.1 Updates 

In order to define 3? , we start by introducing the concept of "update", which is nothing but a finite 
partial function over N. Realizers of atomic formulas will return these finite partial functions, or 

"updates", as new pieces of information that they have learned about the Skolem function <t>o> > 

Skolem functions, in turn, are used as "oracles" during computations in the system =5c lass . Updates are 
new associations input-output that are intended to correct, and in this sense, to update, wrong oracle 
values used in a computation. 

Definition 1 (Updates and Consistent Union) We define: 

1. An update set U, shortly an update, is a finite set of triples of natural numbers representing a 
finite partial function from N 2 to N. 

2. Two triples (a,n,m) and (a 1 ,n' ,m') of numbers are consistent if a = a' andn = n' implies m = m'. 
Two updates Ui,U2 are consistent ifU\UU2 is an update. 

3. U is the set of all updates. 

4. The consistent union U\ &U2ofUi,U2&tJ is U\ U U2 minus all triples ofl/2 which are incon- 
sistent with some triple ofU\. 

The consistent union U\%f U2 is an non-commutative operation: whenever a triple of Ui and a 
triple of U2 are inconsistent, we arbitrarily keep the triple of U\ and we reject the triple of I] 2, therefore 
for some U\,U2 we have U\ ^ U2 7^ U2 % U\. ^ represents a way of selecting a consistent subset of 
Ui U U 2 , such that U^U 2 = Ui = U 2 = 0. 

2.2 The System ST 

3? is formally described in figure [TJ Terms of the form if^ t\ t% £3 will be sometimes written in the 
more legible form if t\ then t% else £3. A numeral is a term of the form S(. . . S(0) . . .). For every 
update U G U, there is in ST a constant U : U, where U is a new base type representing U. We write 
for 0. In 3T, there are four operations involving updates (see figured]): 

1. The first operation is denoted by the constant min : U — > N. min takes as argument an update 
constant U ; it returns the minimum numeral a such that (a,n,m) £U for some d.m£(l, if any 
exists; it returns otherwise. 

2. The second operation is denoted by the constant get : U — > N 3 — > N. get takes as arguments an 
update constant U and three numerals a,«,Z; it returns m if (a,n,m) £ U for some m G N (i.e. if 
(a,n) belongs to the domain of the partial function U); it returns / otherwise. 

3. The third operation is denoted by the constant mkupd : N 3 — > U. mkupd takes as arguments three 
numerals a,n,m and transforms them into (the constant coding in 3?) the update {(a,n,m)}. 

4. The forth operation is denoted by the constant LLU : U 2 — >• U. LLU takes as arguments two update 
constants and returns the update constant denoting their consistent union. 
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Types 

o\t ::= N | Bool U | ct -> t | tr x r 

Constants 

c ::= R T | if T | | S | True | False | min | get | mkupd | W \ U (VI/ £ U) 

Terms 

r,j( ::= c | x T | ?m Ax t m | (t,u) \ 7Zqu \ %\u 
Typing Rules for Variables and Constants 

x T : T | : N | S : N — > N | True : Bool | False : Bool | U : U (for every ?7 G U) | IUI : U^U^U 

| min : U -> N | get : U N -> N -> N -> N mkupd : N -> N N -)• U 

| if T : Bool — > T ^ T — > T | R T : t^(N^(t^t))— >N^T 

Typing Rules for Composed Terms 

t : g — > T u : o u : t u : a t : x u : To x Ti 

tu : T Xx a u : cr — » T {M,f):rjxT ;r ; i< : T/ ' J 

Reduction Rules All the usual reduction rules for simply typed lambda calculus (see Girard Q5 |) plus the rules for recur- 
sion, if-then-else and projections 

R^i/vO i — y u R T Mi'S(f) n- vf(R T Mv?) ifxTruewv h-s- u if T False«v h> v lti\UQ,u,\) i = 0, 1 

plus the following ones, assuming a,n,m, I be numerals: 

. _ (a \f 3m,n. (a,n,m) <E U AV(b,iJ) e U. a < b — — ,, „ 

1 otherwise 

m if 3m. (a,n,m) £ U 



getU anl ^ < ' mkupdarcm h-> {(a,n,m)} 

I otherwise 



Figure 1: the extension 2? of Godel's system T 

We observe that the constants min, get, mkupd, t/,W, and the type U are just syntactic sugar and 
may be avoided by coding finite partial functions into natural numbers. System 3f may thus be coded 
in Godel's T. 

As proved in mill, 2? is strongly normalizing, has the uniqueness-of-normal-form property and 
the following normal form theorem also holds. 

Lemma 1 (Normal Form Property for 3F) Assume A is either an atomic type or a product type. 
Then any closed normal term t 6 2? of type A is: a numeral n : N, or a boolean True, False : Bool, 
or an update constant U : U, or a constant of type A, or a pair (u,v) : B xC. 

2.3 The System 5^ lass 

We now define a classical extension of 2? , that we call ^ kss , with a Skolem function symbol for each 
arithmetical formula. The elements of ^ kss will represent (non-computable) realizers. 

Definition 2 (The System 2^^) Define 2? class = 27 ' + Sf"€, where is a countable set of Skolem 
function constants, each one of type N — > N. We assume to have an enumeration <t>o,<&i,<&2, ■ ■ ■ of all 
the constants in 5*"io (while generic elements of will be denoted with letters ct?,^, . . .). 

Every <t> G S?"io represents a Skolem function for some arithmetical formula 3y N A(x,y), taking 
as argument a number x and returning some y such that A(x,y) is true if any exists, and an arbitrary 
value otherwise. In general, there is no set of computable reduction rules for the constants in J5^, 
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and therefore no set of computable reduction rules for £? aiKS - Each (in general, non-computable) 
term t € is associated to a set \t\s\ \s € £?,s : N 2 — > N} C 3f of computable terms we call its 
"approximations", one for each term s : N 2 — >■ N of 3? , which is thought as a sequence So,si,S2, . . . of 
computable approximations of the oracles <t>o> ^1 j ^2; • • • (with we denote s(i)). 

Definition 3 (Approximation at State) 

1. A state is a closed term of type N 2 — > N of 2? . Ifi is a numeral, with Sj we denote s(i). 

2. Assume t £ ^ ams and s is a state. The "approximation oft at a state s " is the term t [s] of 2? 
obtained from t by replacing each constant <t>,- with S{. 

3 Interactive Readability for HA W + EM + SK 

In this section we introduce a notion of realizability based on interactive learning for HA 60 + EM + SK, 
Heyting Arithmetic in all finite types (see e.g. Troelstra [26 ]) plus Excluded Middle and Skolem axiom 
schemes for all arithmetical formulas. Then we prove our main Theorem, the Adequacy Theorem: "if 
a closed formula is provable in HA ffl + EM + SK, then it is realizable". 

We first define the formal system HA® + EM + SK. We represent atomic predicates of HA® + 
EM + SK with closed terms of S* am of type Bool. Terms of HA ffl + EM + SK are elements of ,%^ s 
and thus may include the function symbols in 5?"$ '. We assume having in Godel's T some terms 
=>Booi: Bool — > Bool — > Bool,-i Bool : Bool — > Bool, V Bo oi : Bool — > Bool — > Bool . . ., implementing 
boolean connectives. As usual, we shall use infix notation: for example, we write t\ =^booi h in place 
of 

=^Booi hh and similarly for the other connectives. 
3.1 Language of HA" + EM + SK 

We now define the language of the arithmetical theory HA ffl + EM + SK. 

Definition 4 (Language of HA ffl + EM + SK) The language ^„ ass of HA ra + EM + SK is defined as 
follows. 

1. The terms of ' Jz? CTa .„ are all t € 3* class . 

2. The atomic formulas of ££ class are all Q € 2? aass such that Q : Bool. 

3. The formulas of ££ class are built from atomic formulas of Jf aass by the connectives V,A,— >• 
, \ ,V,3 as usual, with quantifiers possibly ranging over variables x x , y x ,z x , ■ ■ ■ of arbitrary 
finite type X of ^ c/fl ., r 

4. A formula ofJf aass is said arithmetical if it does not contain constants in .5^"^ and all its quanti- 
fiers range over the type N, i.e. it has one of the following forms: Vx N A, 3x N A,A VB,A AB,A — > 
B,A\B,P, with A,B arithmetical and P atomic formula of S 7 ' . 

We denote with _L the atomic formula False and with -A the formula A — > _L. A \B is the dual 
of implication as in bi-intuitionistic logic and means "A and the opposite of B". If F is a formula 
of Jz?cia SS in the free variables xf , . . . ,x^ n and t\ : Ti,... ,t n : % n are terms of J2? C k SS , with F{t\, . . . ,t„) 
we shall denote the formula F[/i/jci, . . . ,t n /x n ]. Sequences of variable Xj, . . . ,xf will be written as x. 
We denote with (x) a term of in the free numeric variables x representing a injection of N into N. 
Moreover, for every sequence of numerals n = n\,...,rik, we define (n) := (x) [n/x] and assume that 
the function n h-> (n) is a bijection. 
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The Excluded Middle axiom scheme EM is defined as the set of ah formuias of the form: 

Vx N .A(x)V^A(x) 

where A is an arithmetical formula. 

The Skolem axiom scheme SK contains for each arithmetical formula A (x,y) an axiom: 

Vx N . 3y N A(x,y) ^A(x,<D(x)) 

with <t> € yff. We assume that for every <$> € S^tf there is in SK one and only one formula in 
which <t> occurs. Such unique formula A is said to be the formula associated to <t> and <t> will be 
sometimes written as <t> A . If s is a state and <t> ( - = <J>a> with sa we denote s, and with mkupdAw? we 
denote mkupdiut. We claim that the result of this paper would even hold if the formula A was not 
required to be arithmetical, i.e. it was allowed to contain other Skolem functions previously defined by 
other Skolem axioms, possibility which in Avigad's case ifTUl complicates the elimination technique 
considerably. 

For each formula F of Jz? C i ass) its involutive negation F 1 - is defined by induction on F. First, we say 
that an atomic formula P is positive if it is of the form -■booi • • • _, booiG» Q is not of the form -ibooi^> 
and the number of ->booi in front of Q is even. Then we define: 



(-Booi/'r 


= P (if P positive) 


P x 


= -'Booi^ 5 (if ^ positive) 


(AAB) 1 


= A ± VB ± 


(AVB) X 


= A ± AB ± 


(A — > B) 1 - 


= A\B 




= A^B 


(Vx T A) x 


= 3x T A^ 


(Bx'A) 1 - 


= Vx T A x 



As usual, one has (i 7 ^)^ = F . 

We now fix a special set of formulas V. 

Definition 5 (Set T) We fix an arbitrary finite set V of arithmetical formulas A(x,y) of ££ class . 

In the following, V will serve as a parameter in order to relativize the definitions of the realizability 
relation and of the ordering of states provided in Q. The idea is that any given proof in the system 
H A ffl + EM + SK uses only a finite number of instances of EM and SK. Thus, it is enough to specialize 
the atomic case of the definition of realizability in such a way it refers only to the formulas in V. The 
restriction is necessary in order to avoid to speak about the truth of an infinite number of formulas, as 
done in Q. When we shall have to interpret a particular proof P, we will choose V as containing all 
the sub-formulas of the classical axioms appearing in P. 

3.2 Truth Value of a Formula in a State 

The axioms of the system HA^ + EM + SK give a great computational power to the system ^ lass : 
thanks to the use of Skolem functions as oracles, one can "compute" by a term \f of ^i ass the truth 
value of any arithmetical formula F. When one effectively evaluates xf in a particular state s, we say 
that one computes the truth value of a formula F in a state s. 

Definition 6 (Truth Value of a Formula F in a State s) For every arithmetical formula F(x) of '-5f a « 

we define, by induction on F, a term Xf '■ Bool of system 3~ aass , with the same free variables ofF: 
Xp = P, P atomic 

Xavb = Xa Vbooi Xb XvvM = Xa [<tV (*) h] Xa^b = Xa A Bo oi Xb^ 

Xaab = Xa Abooi Xb XsfA = Xa [<*>a (x) /y] Xa^b = Xa =>booi Xb 

We define F s := Xf[s] and call it the truth value of F in the state s. 
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Intuitively, if F(n) is a closed formula, our intended interpretation is: 

1. Xf(") i s a term °f ^ciass denoting, in any standard model of HA 68 + EM + SK, the truth value of 
F{n). 

2. F s {n) is a term of computing what would be the truth value of F(n) in some standard model 
of HA 68 + EM under the (possible false) assumption that the interpretation mapping <t>, to Sj 
satisfies the axioms of SK. 

We remark that thus F s (n) is only a conditional truth value: if F s (n) is not the correct truth value 
of F{n) - it may well happen - then the interpretation mapping <t>, in s, does not satisfy the axioms 
of SK. This subtle point is what makes possible learning in Interactive realizability: whenever a 
contradiction follows, realizers are able to effectively find counterexamples to the assertion that the 
interpretation mapping <t>,- in Sj satisfies the axioms of SK. We also observe that this way of computing 
the truth of a formula comes from the epsilon substitution method (see Avigad [9], Mints et al. ll20lB . 

Every state s is considered as an approximation of the Skolem functions denoted by the constants 
of for each formula A, sa may be a correct approximation of 0^ on some arguments, but wrong 
on other ones. More precisely, we are going to consider the set def(j) of the pairs (/, («)) such that 
<t>, = (t> A and A € F => 3y N A(n,y) — >■ A(n,Si(n)) is true as the real "domain" of s, representing the set of 
arguments at which is surely a correct approximation of <t>,, in the sense that Sj returns an appropriate 
witness if any exists. We point out that if <t>, = A and A ^ V, then trivially (i, (n)) £ def (s). The 
choice is made just for technical convenience, since one is not interested in the behaviour of s outside 
P. We also define an ordering between states: we say that s' > s if, intuitively, s' is at least as good an 
approximation as s. Thus, we ask that if s is a correct approximation at argument (i, (n)) also s' is and 
in particular s\ (n) = Sj (n) . 

Definition 7 (Domains, Ordering between States) 

1. We define 

def(j) = {(/, (H)) | <t> ; = <$> A and (A e V => 3y"A(H,y) ^A(n, Si (n))} 
where i and n range over numerals and sequences of numerals. 

2. Let s and s' be two states. We define s' >s if and only if for all (i, (n)), (/, (n)) G def (s) implies 
Si(n) =s' i {n). 

We remark that by definition, s' > s implies def(s') D def(j) and that thanks to the restriction 
to r the relation s' > s is arithmetical, because the condition (i, («)) G def (s) is non-trivial only for 
finitely many i. From now onwards, for every pair of terms t\,t2 of system we shall write t\ = ?2 
if they are the same term modulo the equality rules corresponding to the reduction rules of system 2? 
(equivalently, if they have the same normal form). 

3.3 Interactive Realizability 

For every formula A of ££ Q ^, we now define what type |A| a realizer of A must have. 

Definition 8 (Types for realizers) For each formula A of J£ class we define a type \A\ of 3? aass by induc- 
tion on A: 

\P\ = U, ifP is atomic 
\AAB\ = |A| x \B\ |3jc t a| = t x |A| |A\B| = |A| x 

|AVB| = Bool x (|A| x \B\) |WA| = t — >■ |A| |A -> B\ = \A\ -)■ \B\ 
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Let now po := %o : Ob x (oi x 02) — > do, pi := Tio^i : do x (di x 02) — > <J\ and P2 := 7Ti TTi : 
ao x (d x 02) — > d2 be the three canonical projections from Gq x (cTi x 02). We define the realizability 
relation t [II — F, where ? € ^i ass , F 6 =£?cia SS and t : |F|. 

Definition 9 (Interactive Realizability) Assume s is a state, t is a closed term of 3? class , F € 5?aau is 

a closed formula, and t : |F|. We define first the relation t llh s F by induction and by cases according 
to the form ofF: 

1. t \\\- s Qfor some atomic Q if and only ifU = t[s] implies: 

• for every (i,n,m) € U, 0; = for some A £ V, and A s {n,Si{n)) = False and A s (n,m) = 
True. 

• U = implies Q[s] = True 

2. t \\\- s A/\B if and only if Hot \\\- s A and %\t Ilk, B 

3. t \\\- s A y B if and only if either po?[s] = True and pi? \\\- s A, or po?[s] = False and P2? W\~ S B 

4. t\\\- s A — > B if and only if for all u, ifu llh s A, then tu \\\- s B 

5. t llh s A\B if and only if It^t llh iS - A and %\t W s B^ 

6. t lll- s Va" t A if and only if for all closed terms u : T of ' , tu \\V S A[u/x] 

7. t llh s 3x T A if and only for some closed term u:x of 2? , %tyt\s\ = u and Kit \\\- s A[u/x] 
We define t III- F if and only if for all states s of '3 ' , t \\\- s F. 

The ideas behind the definition of Ilk in the case of HA ffl + EM + SK are those we already ex- 
plained in 0. A realizer is a term t of ^ lass , possibly containing some non-computable Skolem 
function of 5^"^; if such a function was computable, t would be an intuitionistic realizer. Since in gen- 
eral t is not computable, we calculate its approximation t [s] at state s. t is an intelligent, self-correcting 
program, representing a proof/construction depending on the state s. The realizer interacts with the 
environment, which may provide a counter-proof, a counterexample invalidating the current construc- 
tion of the realizer. But the realizer is always able to turn such a negative outcome into a positive 
information, which consists in some new piece of knowledge learned about some Skolem function <t>,. 

The next proposition tells that realizability at state s respects the notion of equality of ^ lass terms, 
when the latter is relativized to state s. That is, if two terms are equal at the state s, then they realize 
the same formulas in the state s. 

Proposition 1 (Saturation) If t\[s\ = t2[s] and u\[s] = U2[s], then t\ \\\- s B[u\/x] if and only if t2 \\\~ s 
B[u 2 /x]. 

Proof. By straightforward induction on A. 

In the following, we use a standard natural deduction system for HA ffl + EM + SK, together with 
a term assignment in the spirit of Curry-Howard correspondence for classical logic. We denote with 
HA ffl + EM + SK h t : A the derivability relation in that system, where t is a term of ^ lass and A is a 
formula of J2? C ia SS - All details can be found in fil. |T71. 

The main theorem about Interactive realizability is the Adequacy Theorem: if a closed formula is 
provable in HA 60 + EM + SK, then it is realizable (see [7] for a proof). 

Theorem 1 (Adequacy Theorem) If A is a closed formula such that HA® + EM + SK h t : A and all 

the subformulas of the instances of EM and SK used in the derivation belong to V, then 1 1 1 1 — A. 
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4 Conservative of HA W + EM + SK over HA W + EM (HA + EM) 

The aim of this section is to use Interactive realizability in order to prove that for every arithmetical 
formula A, if HA® + EM + SK h A then HA 68 + EM h A (HA + EM h A). Since we know by the 
Adequacy Theorem ffl that HA ffl + EM + SK h A implies HA ffl + EM + SK h t : A and HA® proves 
Hlh A, our goal is to show in HA W + EM that 1 1 1 1 — A implies A. 

The intuitive reason this latter result is true is the following: one can always find an approximation 
s of the Skolem functions of t which is good enough to contain all the information needed by t to 
compute the true witnesses for A against any particular purported counterexample. The idea is that 
one has only to collect finitely many values of each Skolem function called during the execution of 
the program represented by t. To this end, it suffices to invoke the excluded middle a number of times 
which, intuitively, can be expressed in a proof formalizable in HA" 5 + EM. This is possible because 
HA ffl + EM is strong enough to prove the normalization of each term t of 5£i ass with respect to any 
interpretation of its Skolem functions. Finally, if there existed a counterexample to A, it would be 
possible to falsify the construction of the realizer t in the state s. Since t is a self-correcting program, 
it would be able to correct one of the values of s it has used in the computation of some witness for A. 
But s is constructed as to be correct on all the values used by t, which entails a contradiction. 

For example, let A = 3x iS \/y w 3z N P(x, y,z). Then one can find a state s which contains all the values 
of the Skolem functions needed to compute n = 7tot[s]. Suppose a counterexample m to the formula 
\/y 1i 3z N P(n,y,z) existed. Then one can find a state s' > s which contains all the values of the Skolem 
functions needed to compute / = Tto((Tt\t)m) [s'\. Now, we would have that P(n,m,l) is false; thus, 
Tt\ {{ii\t)m) [s'] would be equal to some update U containing some corrections to s'. We shall show that 
this will not be the case, and the intuitive reason is that s' can be chosen as to be correct everywhere it 
is needed. 

We now elaborate our argument. We start with a definition axiomatizing the informal concept that 
a state s contains all the information needed to compute the normal form of a term t of ground type. 
Namely, if for every s' extending s the evaluation of t in the state s' gives the same result obtained 
evaluating t in s, then we may assume all the relevant information is already in s. 

Definition 10 (Definition of a term in a state s) For every state s and term t of S? aass of atomic type, 
we define t ^ (and we say "t is defined in s") as the statement: for all states s' > s, t[s'] = t[s]. 

Remark. There is another, perhaps more intuitive way to express the concept of "being defined in 
the state s". For every state s we may define a binary reduction relation iA C 3T aa!ls x ^i ass as follows: 
t A u if either t \- > u in ^ lass or u is obtained from t by replacing one of its subterms <&i(n) with a 
numeral m = Si(n) such that (i,n) S def(s). Then one could say that t is defined in s if t A a where 
a is either a numeral, a boolean or an update. Though this approach works well, it is unsuitable to be 
directly formalized in HA ffl , because in that system one cannot express this syntactical reasoning on 
terms. 

We now define for every type % a set of "computable" terms of type x by means of the usual Tait- 
style computability predicates [22]. In our case, following the approach of the previous discussion, 
we consider a term t of ground type to be computable if for every state s, one can find a state s' > s 
such that t is defined in s'. The notion is lifted to higher types as usual. 

Definition 11 (Computable terms) 

For every type x of £?a ass , we define a set of closed terms of ,%, ass of type X as follows: 

• ||N|| ={t : N | for all states s there is a state s' >s such that t \ s } 
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• ||Bool|| = {? : Bool \for all states s there is a state s' > s such that t 45 } 

• ||U|| = {? : U | for all states s there is a state s' >s such that t ^ } 

• ||t -» a\\={t | Vm g ||t|| tu g ||a||} 

• ||t x a||={f 1 7iQt G ||T||an<f %\_t G ||a||} 

In order to show that every term t in ^ ass is computable, as usual we need to prove that the set 
of computable terms is saturated with respect to some suitable relation. In our case, two terms are 
related if they are equal in all states greater than some state. 

Lemma 2 For every term t : p of 3? clas:i , if for every state s there exists a state s' >s and u £ ||p || such 
that for all state s" > s', t[s"] = u[s"\ then t G ||p||. 

Proof. By induction on the type p. 

• p = N. Let s be a state. We have to show that there exists a state r > s such that t ^. By as- 
sumption on t there exists a state s' > s and u G ||N|| such that for all s" > s', t[s"] = u[s"]. Since 
u G ||N||, there exists s" > s' such that u I s . Let r = s"; we prove t ^ . Let r' > r. We have that 
u[r'] =u[r], by u JT, and t[r'] = u[r'], since r' > s'. Hence, t[r'] = u[r] = t[r\. We conclude t ^ 
and finally t G ||N||. 

• p = Bool,U: as for the case p = N. 

• p = T — > a. Let v G |[t||. We have to show that tv G ||(t||. Let s be any state. By assumption on 
t there exist a state s' > s and w G ||t — ► a|| such that for all s" > s', t[s"] = u[s"}. Therefore for 
all s" > s', tv[s"] = uv[s"] and uv G ||a||. Hence, by induction hypothesis, tv G \\<j\\. 

• p = To x X\. Let i G {0, 1}, we have to show that ntf G ||t,-||. Let s be any state. By assumption 
on t there exist s' > s and u G ||Tq X Ti|| such that for all s" > s', t[s"] = u[s"j. Therefore for all 
s" > s', Kjt[s"] = Kiu[s"] and KjU G ||T;||. Hence, by induction hypothesis 7r,-f G ||t,-||. 

We are now ready to prove, by using the excluded middle alone, that every term t of ^i ass is 
computable. 

Theorem 2 (Computability Theorem) 

Let v : T be a term of 2? C ia SS an d suppose that all the free variables of v are among x° l ,. .. ,x%". If 
h G ||(7i ||, G \\a n \\, thenv[h/x° t n /x°»\ G ||t||. 

Proof. We proceed by induction on v. We first remark that if u = t and t G ||t||, then u G ||t|| by 
trivial application of Lemma |2l 

Notation 1 For any term w in =5c fas .„ we denote w\t\/x1 l ,t n /x a "} with w. 

1. v is a variable xf : <7; and T = Oi. Then, v = t\ G ||<7/|| = ||t||. 

2. v is 0, True, False, U : trivial. 

3. v is uw, then by means of typing rules, u : a — > T, w : a. Since by induction hypothesis 
u G ||(7 -» t|| and w G ||a||, we obtain v = TTvv G ||t||. 
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4. v is Ax Tl .w. Z\ — y x 2 . Then, by means of typing rules, u : T2. Suppose now, for a term ? : Ti in 
J^ lass , that ? G ||Ti II . We have to prove that v? G We have: 

vt = (Ax Tl .u) [h /jcf • • • t n /x^]t 

= {Xx^Ujtiti/xf ■ ■■tn/x?] = U [t/X n ][h/X? ■ -tn/jg] = u[t/x' 1 h/xf • ■•/„/*«"] 



By induction hypothesis, this latter term belongs to We conclude vf G ||i2||. 

5. v is (m,w) : To x Ti. By means of typing rules, u : To, w : X\ and by induction hypothesis 
Hqv = u G 1 1 To 1 1 and 7Tiv = vv G ||Ti ||. The thesis v G ||To x X\ || follows by definition. 

6. v is 7T,(w) : Xj, i = 0,1, where m : To x Ti. %\u G ||T;|| because w G 1 1 To x l\ || by induction hypoth- 
esis. 

7. v is if T : Bool — > x — > x — > T. Suppose that « G ||Bool||, W! G ||t||, M2 G ||t||. Then, for all states 
s there exists s' >s such that u 4? . We have to prove that \\ z uu\ui G ||t||. Let s be a state and let 
s' > s be such that m . If wfj 7 ] = True, then for all s" > s', if T MMiM2[^ // ] = u\ [s"] and u\ G ||t||. 
If u[s'] = False, then for all s" > s', \f T uuiii2[s"] = U2[s"] and 112 G ||t||. By Lemma|2j we 
conclude \^ x uu\U2 G ||t||. 

8. v is R T : T — > (N — > (t — > t)) — )• N — > t. Suppose that u G ||t||, w G ||N — > (x — > x)\\, z G ||N||. We 
have to prove that R T uwz G ||t||. By a plain induction, it is possible to prove, for each numeral 
n, R T uwn G ||t||. Let s be a state and let s' > s be such that z | s - Let z[s'] = n with n numeral. 
Then for all s" > s', 

R r uvz[s"] = Rruvn[s"] G ||t|| 
By Lemma[2l we conclude R x uwz G ||t||. 

9. v is min : U — > N. Suppose, for a term u in =^i ass , that u G \\U\\. Let 5 be a state. Since u G ||f/||, 
there exists s' > s such that u J? . We have to prove that min m G ||N||. There exists an update ?7 
such that for all s" > s 1 , u[s"] = U. Then for all s" > s', minM^"] = mini/ = n for some numeral 
n. By definition of ||N||, min u G ||N||. 

10. v is iyj : U — > U — > U. Suppose that u\ G ||U|| and w 2 G ||U||. We have to prove that W u\U2 G ||U||. 
Let s be a state. Since u\ G ||U|| there exists s' > s such that u\ ^ . Since U2 G ||U||, there exists 
s" > s' such that m 2 J; v - Therefore, there exist two constants U 1 and U2 such that for all s'" > s", 
u x \s"'\ = Ui and u 2 [s'"] = U 2 . Finally, for all s'" > s" , 

y mi «2 [■*'"] = y UiU 2 = U3 

and by definition of ||U||, y G ||U||. 

11. v is S, mkupd or get. Analogous to the previous case. 

12. v is a constant <t>, : N — > N in y^. Suppose now, for a term u : N, that u G ||N||. We have to prove 
that <J>;« G ||N||. Let s be a state. We must show that there exists a/>s such that <t>,-w 4? ■ Since 
u G ||N||, there exists a state > s such that w | 4 . Let « = u[s'], with « numeral, and m = s'^n). 
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Let 0, = ^A(x,y)- If A ^ T, then trivially (i,n) G def(V) by definition |7] Therefore for all s" > s', 
<t>iii[s"] = s'( (n) = m and we are done. Hence, we may assume A G V. There are two cases, and 
this is the only point of this proof in which we use EM. 

(a) A(n,m) is true. Therefore, for all s" > s', s'[{n) = m because (i,n) G def(s'). Thus, for all 
s" > s', <S>iii[s"] = s'((n) = m, which is the thesis. 

(b) A(n,m) is false. If there exists I such that A(n,l) is true, then let 

s" := Ax N A.y N . if x = i AbooiJ = n then m else s' x (y) 

Then, for all s'" > s" , s'!'{n) = I because G def(s")- Thus . for a11 s "' > s "> = 
s'l'(n) = I, which is the thesis. If there is no I such that A(n,l) is true, then trivially 
(i,n) G def(Y). Thus for all s" > s', 4>,-«[s"] = s'[{n) = m and we are done. 

According to the Definition [6] of the truth value A s of a formula A in a state s, when we compute 
A s we need only a finite number of Skolem function values, one for each quantifier of A. Thus, we 
can show with the excluded middle that for every state s there exists a state s' > s such that when we 
evaluate A in the state s' we obtain the real truth value of A. 

Proposition 2 LetA(x) be any arithmetical formula and n be numerals. For every state s, there exists 
a state s' >s such that A" (n) = True if and only ifA(n) is true. 

Proof. We prove the thesis by induction on A. Let s be any state. The cases in which A is atomic 
or A = B V C, B A C, B — > C are trivial. Let us consider those in which A starts with a quantifier. 

• A(n) = 3y N B(n,y). By the excluded middle, we extend s to a state s' > s such that m = s' B {n) 
implies that 

3fB(n,y)-+B{n,m) 

By induction hypothesis, there exists a state s" > s' such that B(n,m) is true if and only if 

B s (n,m) =XB{n,m)[s"] = True 
Assuming <t>,- = <t> e , since (i, (n)) G def (s'), we have s'g(n) = s' B (n). Since 

A s "(n) =XB(fi,<t> B {n))[ S "} = X B(n,m)[s"] 
and A(n) is equivalent to B(n,m), we obtain the thesis. 

• A(n) = \/y n B{n,y). By the excluded middle, we extend s to a state s' > s such that m = s' B± (n) 
implies that 

3y N B x (n,y) ^ B ± (n,m) 
By induction hypothesis, there exists a state s" > s' such that B ± (n,m) is true if and only if 

ji 

(B ) (H, m) = Xfii [■?"] (n, m) = True 
Assuming <t>,- = <t> g ±, since (i, (ft)) G def (V), we have s' B± (n) = s' B± (n). Since 

A s " (n) = Xb^ («. = Xb^ («, m) 

we obtain the thesis. 
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Now we prove a special case of the statement that the realizability of a formula implies the formula 
itself. Namely, we show that t realizes _L implies _L. The idea, as we have explained before, is to find 
a state s which contains all the information needed to evaluate t. 

Theorem 3 (Consistency of Interactive Realizability) For every closed term t of &ctam t JHfl. In- 
particular, for every state s, there exists a state s' >s such that ?Jlfy_L. 

Proof. Suppose, for the sake of contradiction, that there exists a term t such that 1 1 1 1 — _L. Let s be 
any state. Since t : U, by theorem|2]we have t £ ||U|| and therefore there exists a state r > s such that 
t 4T. Let t[r] = U for some update U. Since t llh r J_, U is non-empty: let (i,n,m) £ £/. By application 
of theorem 12 if <t>, = <J>a, there exists a state q > r such that XA(n,m) J?. By definition, 

A q (n,m) =XA{n,m)[q] =b 

for some boolean ft. Since ? Ilh ? _L and t[q] = U (because t 4T and g > r), we obtain by definition of 
realizability that b = True. Let qi(n) = I. We have two possibilities: 

1. A(n,l) is false. We define the state 

s' := Ajc n Ay n . if x = / A Boo i V = (") then m else ^(y) 

Then, s' > q, for A(H, I) is false. Moreover, since XA(n,m) for all > q, XA(n,m)[q'} = b; 
by Proposition |2l there exists q' > q, such that XA{n,m)[q'] = True if and only if A(n,m) is 
true. Since Xa (n, m) [q'\ = b = True, we have that A(n,m) is true. By assumption on t, we have 
t llhy -L and = U, because s' > r. Since j'-(n) = m, by definition of f llhy _L we would have 
both A s (n,m) = False and A s (n,m) = True, which is a contradiction. 

2. A(n, I) is true. By Proposition |2l there is a state s' > q such that A s ' (n,l) = True. By assumption 
on t, we have t llhy _L and = ?7. But = /, A(H,Z) is true and s' > q; therefore (i,n) £ 
def(^r) and hence s'^n) = I. By definition of t llhy _L, we would have A s (n,l) = False and 
A s (n,m) = True, which is in contradiction with A s (n,l) = True. 

Finally, we are in a position to prove in HA 63 + EM that the realizability of a formula A implies its 
truth. For simplicity we assume A is a — Hfree, but the result holds also in the general case. 

Theorem 4 (Soundness of Realizability) Let A be any —t-free arithmetical formula and suppose t llh 
A. Then A is true. 

Proof. We prove a stronger statement. Let s be a state and suppose that for all s' > s, t llhy A. We 
prove by induction on A, that A is true. 

• A = P, with P atomic. Suppose, by the way of contradiction, that P is false. Then we have that 
for all s' > s, t llhy L, which is impossible by Theorem [3] 

• A = B A C. Then, for all s' > s, t llhy A and f llhy B. By induction hypothesis A and B are true, 
and we obtain the thesis. 

• A = BVC. By Theorem|2l there exists a state r > s such that po? i r . Let po?[r] = b with & boolean, 
say b = True. Then, by defintion, for every r 1 > r, pot[r'] = True and therefore t llhy A. By 
induction hypothesis A is true, and we obtain the thesis. 
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• A = Vx N 5. Let n be any numeral. Then, for all s' > s, tn llhy B(n). By induction hypothesis B(n) 
is true. Therefore, Vx n B is true, and we obtain the thesis. 

• A = 3x N B. By Theorem [2l there exists a state r > s such that n^t 4T. Let Tiot[r\ = n with n 
numeral. Then, by definition, for every r' > r, TiQt[r'] = n and therefore t III-/ B(n). By induction 
hypothesis B(n) is true, and we obtain the thesis. 

Since all the proofs given in this section are formalizable in HA 63 + EM (see Section [5]), we are 
able to prove the conservativity of HA ffl + EM + SK over HA ffl + EM for arithmetical formulas. 

Theorem 5 (Conservativity of HA ffl + EM + SK over HA ffl + EM) Let A be a closed arithmetical for- 
mula, and suppose 

HA ffl + EM + SK h A 

Then: 

HA ffl + EM \- A (1) 
HA + EMhA (2) 

Proof. 

1 . We may assume that A is — »-free. Otherwise, 

HA ffl + EM hAf>S 

with B — )-free and we consider B. Since V is arbitrary, we may assume that all the subfor- 
mulas of the instances of EM and SK used in the derivation belong to P. By formalization 
of the Adequacy Theorem Q] in HA ffl (see Section [5]), we obtain that HA 60 h t 1 1 1 — A for some 
term t of ^ ]ass . By formalization of the proof of Theorem |4] in HA ffl + EM, we obtain that 
HA ffl + EM h (t III— A) -> A. We conclude H A ffl + EM h A. 

2. There are at least two ways to obtain the thesis. On one hand, we may use (Q} and the standard 
result about the conservativity of HA ffl + EM over HA + EM for arithmetical formulas (see for 
example Troesltra [24]). On the other hand, we may code directly terms of system ^ lass into 
natural numbers and then express the proofs of point 1) in HA + EM (see Section[5]>. 

5 Formalization of the Proofs in PA and in H A w + EM 

In this section we explain how to formalize in PA and H A ffl + EM the proof of the Adequacy TheoremQ] 
of Section[3]and the proofs of the Computability Theorem[2]and the Soundness Theorem|4]of Section 
IU We start with the case of PA. 

5.1 Formalization in PA 

One can routinely code in PA all the concepts we have so far used. As in Tait l22l . one may code the 
terms of ^ ass with natural numbers and successively the definition of the realizability and computabil- 
ity predicates with arithmetical formulas. Since neither set-theoretic concepts nor Skolem axioms are 
employed in any of the given proofs, everything can be coded in PA. 
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5.2 Formalization in HA ffl + EM 

Instead of coding everything into natural numbers, which is of limited practical interest, it is more 
satisfying to formalize our proofs directly in HA ffl + EM. There is no serious obstacle to this end, 
except for a small formalization issue: the notion t[s] of evaluation of a term t of J^. lass in a state 
s, which we have heavily used in the definitions of the realizability and computability predicates, is 
not directly representable in HA 60 + EM. To begin with, terms of ^ lass may contain some constant 
<t> G J7"to which does not belong to the language of H A ffl . This problem is easily solved by considering 
terms of the form t [s] with s state variable. However, in the definition of Interactive realizability for 
implication and in the statement of the Computability Theorem one needs to define formulas x 1 1 1 — A 
and x G ||N||, where x is a variable. In these definitions it is necessary to speak about the substitution of 
an actual state s in the body of a variable x, which is impossible in HA ffl (remember that x represents 
a term t[s] of 2T). This last issue is overcome quite easily by considering in place of a term t : z in 
^ lass the term A.y s .f [.s] : S — > z, where S := N 2 — > N is the type of states. In this way, one makes explicit 
the functional dependence of t from the state s and transforms t into an object having a semantical 
denotation. It is however necessary to slightly adapt the definitions of realizability and computability, 
which is what we are going to do. 

First, we give an alternative definition of Interactive realizability, which is shown in [4] to be 
equivalent to Kreisel's modified realizability for HA ffl applied to some Friedman translation of formu- 
las. We denote with Jzf the restriction of the language ^ ams to the formulas not containing any Skolem 
function constant <t> € '. 

Definition 12 (Alternative Definition of Interactive Realizability) Assume s : S is a closed term of 
3?, t is a closed term of 3* , D G Jzf is a closed formula of 'Jzf, and t : \D\. We define by induction on 
D the relation t \\- s D: 

1. t Ihj Q if and only ift = U implies: 

• for every (i,fi,m) G U, <t>; = ^Afar some A G V, and A s (n,Si(n)) = False andA s (n,m) = 
True. 

• U = implies Q = True 

2. t lh v AAB if and only ifTl^t \\- s A and TZ\t W s B 

3. t \h s A y B if and only if either po? = True and pif mr A, or K§t = False and pi? mr B 

4. t \\- s A — > B if and only if for all u, ifu \\- s A, then tu \h s B 

5. t lh v Vx T A if and only if for all closed terms u : z of 2? , tu \r s A[u/x] 

6. t Ihj Bx^A if and only for some closed term u : z of 2? , %$t = u and K\t \Y s A\ujx\ 

One can prove straightforwardly, as in H, that our first Definition [9] of Interactive realizability is 
equivalent to this alternative one. 

Theorem 6 (Characterization of Interactive Realizability) Let t G 3? aass and s be a state. Then, for 

every B G Jzf c/flSI 

t llh.v B <=^ t[s]\h s B[s] 
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Theorem [6] allows us to replace in our conservativity proof the expression t III — A with the ex- 
pression Vj s ./[j] lh s A[j], which is a formula of HA ffl . Moreover, the Adequacy Theorem for lh is 
formalizable in HA 65 , since it is a special case of the Adequacy Theorem for modified realizability, 
which is formalizable in that system (see (251). 

Secondly, we adapt the notion of computability to terms of type S — > z. For every pair of terms 
t,u G 2F respectively of type S — > (a — > z) and S — > G, we define the following notion of application: 

t • m := Xs s .ts(us) 

For every term t G 2? of type S — > (Tq x Ti) and i G {0, 1}, we define the following notion of 
projection: 

7T,f := Xs s .7ijts 

Finally, for every constant term c ^ y^, we define c* := Xs s c. We now adapt Definition [TOl and 
Definition [TTJ Since there is no possibility of confusion, we maintain the same notations of Section [4] 
but with the new specified meaning. 

Definition 13 (Definition of a term in a state s) For every state s and term t : S — >• z of 2? with z 
atomic type, we define t J? (and we say "t is defined in s") as the statement: for all states s' > s, 
ts' = ts. 

Definition 14 (Computable terms) 

For every type z of 2?, we define a set of closed terms of 2? of type S — > z as follows: 

• ||N||={f : S — > N | for all states s there is a state s' >s such that t ^ } 

• 1 1 Bool 1 1 ={t : S — > Bool | for all states s there is a state s' > s such that t ^' } 

• [|U||={f:S— >■ U | for all states s there is a state s' > s such that t ^ s } 

• ||t — >■ c||={f | Vw g ||t|| t-uG ||c||} 

• ||t x (r||={f | not & \\z\\and n\t € ||cr||} 

The proofs of Lemma[2]and of the Computability Theorem can be easily adapted (for details, see 
the full version of this paper |[8l). 

Lemma 3 For every term t : S — > p of 2?, if for every state s there exists a state s' >s and u 6 ||p || 
such that for all states s" > s', ts" = us", then t € \\p ||. 

Theorem 7 (Computability Theorem) 

Let v : Z be a term of 2*a ms and suppose that all the free variables of v are among x° l ,.. . ,x%". If 
t\ € ||oi||,...,f n € ||(7„||, then Xs s .v[s][tis fx" 1 , ... ,t n s /x%"] G ||t||. 

The proofs of Proposition [2] and Theorem [3]remain exactly the same, while the proof of Theorem[4] 
can be straightforwardly adapted. In particular, in the base case of the induction one needs to prove 
that a term t, possibly with free variables of type N, is computable. This follows from Theorem |7] and 
the fact that it is possible to prove by induction the statement Vx w . Xs s x G ||N||. 
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